Hi Michal
Thanks for answering
For the missing part:
OS : Centos 7.3 with latest updates
SSSD: 1.14.0 release 43
So, I removed all traces of server1 (which is indeed a linux host)
from AD and tried to rejoin with the realm command.
Good points:
The sssd.conf provided by the realm command was not far from the one I
had. I guess my understanding of how sssd and kerberos work together
wasn't that bad.
it added:
realmd_tags = manages-system joined-with-samba
ldap_id_mapping = True
Now I have the same error basically. Reminder, I want my server in
child.example.com but users are in parent domain example.com
My server1 has successfully joined domain child.example.com and has a keytab.
When trying to connect sssd successfully finds the multiple AD servers
and SSSD ad backend is seen as online.
[ad_get_client_site_done] (0x0400): Found forest: example.com
[ad_srv_plugin_site_done] (0x0400): About to discover primary and backup servers
[fo_add_server_to_list] (0x0400): Inserted primary server 'ff1pdc01.child.example.com:3268' to service 'AD_GC' # Domain controller for child.example.com
[fo_add_server_to_list] (0x0400): Inserted primary server 'ff1gdc01.example.com:3268' to service 'AD_GC' # Domain controller for example.com
After that I have some successful ldap connections to different AD
servers and then it searches for my user. But it looks like the search
never goes to domain child.example.com, and after that it fails because
the user doesn't exist in child.example.com
[sdap_save_user] (0x1000): Mapping user [tbouillon(a)example.com]
objectSID [S-1-5-21-481120694-805105173-3562786754-5671] to unix ID
[sdap_save_user] (0x0400): Original memberOf is not available for
[tbouillon(a)example.com].
[sdap_save_user] (0x0400): Adding user principal [tbouillon(a)CCMP.INTL]
to attributes of [tbouillon(a)example.com].
[sdap_save_user] (0x0400): Storing info for user tbouillon(a)example.com
[sysdb_search_by_name] (0x0400): No such entry
[sysdb_store_user] (0x1000): User tbouillon(a)example.com does not exist.
On a classical shell if I do: "$ id user1.example.com" I have a correct answer.
On 2 August 2017 at 13:19, Michal Židek <mzidek(a)redhat.com> wrote:
> Hi,
>
> You did not mention what SSSD version and what OS you are using.
> I have few questions, see inline.
>
> On 08/02/2017 10:59 AM, Tristan Bouillon wrote:
>>
>> Hi
>>
>> I have this case I'm working on and it's driving me crazy. I try to
>> setup something like this:
>>
>> AD setup is like this with bi-directional approbation:
>> - example.com
>>   \-- child.example.com
>> Have users registered in example.com => user1(a)example.com
>> computers are registered in child.example.com => server1(a)child.example.com
>>
>> I want to connect with user1 to server1 with ssh and sssd.
>
>
> So, server1 is a Linux host, right? You can add it to the
> child.example.com domain using 'realm join CHILD.EXAMPLE.COM'. It
> will automatically add server1 to the child.example.com
> domain (so it did not have to be there before).
>
>> Before any debug process I want to make sure this is possible because
>> i'm running in circle.
>>
>> When setting up sssd and krb5 confs with child.example.com:
>
>
> IF you set up SSSD manually there is a lot of room for errors,
> I recommend using realm join and then just tweak the sssd.conf
> in case something does not work the way you want.
>
>> -- sssd nss says: example.com is created as a subdomain of
>> child.example.com
>
>
> This is OK. The 'subdomain' may be a little bit confusing, because this
> refers to an internal C code structure that represents a trusted domain,
> not an actual subdomain in the DNS sense. IIRC we changed the message
> recently to be less confusing.
>
>> -- but AD backend is online for child.example.com and I can query it
>
>
> You mean SSSD AD backend is running on the Linux host server1, right?
>
>> -- the query for user1(a)example.com works great but the AD server in
>> child.example.com does not know the user and can't query his master AD
>> server.
>
>
> I do not understand what you mean here. So, on the Linux host (server1),
> if you query the user1(a)example.com, user info is returned. So what
> operation on the Linux host is not working? (getent, su, ssh ... copy
> paste the problematic commands and see our troubleshooting page).
>
>>
>> When setting up sssd and krb5 confs with example.com
>
>
> Again, realm join should set up everything for you. If you join the
> EXAMPLE.COM realm then the server1 host will be added to the example.com
> domain (you said you wanted them in the child.example.com, so I am
> not sure if this is what you want to do, but you can try it if it works
> for you).
>
>> -- it attempts kinit with host/server1.child.example.com and fails
>> to get a tgt. AD is set to offline and it cannot query it.
>>
>> When trying to mix up these solutions I find something similar to the
>> cases above.
>> If it is possible can someone point me towards the configuration I'm
>> supposed to make.
>
>
> Try using the realm join command from the Linux host to avoid hand
> crafting the configuration. Note that the AD domain controller for
> the domain you are joining to must be DNS resolvable from the Linux
> host.
>
>>
>> Don't know if it's the place but GG for the debugging options provides
>> with SSSD, it is clear and powerful.
>> _______________________________________________
>> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
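Added example (not part of the thread, and not SSSD project code): a small Python triage helper for the kind of sssd_<domain>.log excerpts quoted above. It pulls the discovered failover servers per service, splits each mapped user's objectSID into domain SID and RID, and reports which discovered servers actually serve the DNS domain in the user's principal, so a reader can see at a glance whether the lookup for a parent-domain user had a GC/DC for that domain in its server list. The sample log text is constructed from the lines quoted in the thread (the archive prints "@" as "(a)"; real SSSD logs use "@"); the message formats matched are the ones visible on this page, and hostnames like ff1gdc01.example.com are the thread's own, not real infrastructure.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the sssd_<domain>.log lines quoted in the thread.
SAMPLE_LOG = """\
[ad_get_client_site_done] (0x0400): Found forest: example.com
[ad_srv_plugin_site_done] (0x0400): About to discover primary and backup servers
[fo_add_server_to_list] (0x0400): Inserted primary server 'ff1pdc01.child.example.com:3268' to service 'AD_GC'
[fo_add_server_to_list] (0x0400): Inserted primary server 'ff1gdc01.example.com:3268' to service 'AD_GC'
[sdap_save_user] (0x1000): Mapping user [tbouillon@example.com] objectSID [S-1-5-21-481120694-805105173-3562786754-5671] to unix ID
[sdap_save_user] (0x0400): Original memberOf is not available for [tbouillon@example.com].
[sdap_save_user] (0x0400): Storing info for user tbouillon@example.com
[sysdb_search_by_name] (0x0400): No such entry
[sysdb_store_user] (0x1000): User tbouillon@example.com does not exist.
"""

# Regexes for the three message shapes quoted on the page.
FOREST_RE = re.compile(r"\[ad_get_client_site_done\].*?Found forest: (\S+)")
SERVER_RE = re.compile(
    r"\[fo_add_server_to_list\].*?Inserted (primary|backup) server "
    r"'([^':]+):(\d+)' to service '([^']+)'"
)
SID_MAP_RE = re.compile(
    r"\[sdap_save_user\].*?Mapping user \[([^\]]+)\] objectSID \[(S-[\d-]+)\] to unix ID"
)


def parse_forest(text):
    """Return the forest name SSSD reported, or None if the line is absent."""
    m = FOREST_RE.search(text)
    return m.group(1).lower() if m else None


def parse_servers(text):
    """Map each failover service (e.g. 'AD_GC') to the servers inserted for it."""
    servers = defaultdict(list)
    for role, host, port, service in SERVER_RE.findall(text):
        servers[service].append({"host": host.lower(), "port": int(port), "role": role})
    return dict(servers)


def split_sid(sid):
    """Split an objectSID into (domain SID, RID); the RID is the last component."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def parse_user_mappings(text):
    """Users SSSD tried to map to a unix ID, with their domain SID and RID."""
    out = []
    for principal, sid in SID_MAP_RE.findall(text):
        name, _, user_domain = principal.rpartition("@")
        domain_sid, rid = split_sid(sid)
        out.append({"user": name, "domain": user_domain.lower(),
                    "domain_sid": domain_sid, "rid": rid})
    return out


def host_domain(host):
    """DNS domain of a hostname ('ff1gdc01.example.com' -> 'example.com')."""
    return host.split(".", 1)[1] if "." in host else ""


def triage(text):
    """For each mapped user, list discovered servers whose DNS domain matches the
    user's principal domain, and note whether that domain is the forest root."""
    forest = parse_forest(text)
    servers = parse_servers(text)
    report = []
    for u in parse_user_mappings(text):
        serving = sorted(s["host"] for svc in servers.values() for s in svc
                         if host_domain(s["host"]) == u["domain"])
        report.append({**u, "servers_for_domain": serving,
                       "is_forest_root": u["domain"] == forest})
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry)
```

Feed it the relevant section of /var/log/sssd/sssd_<domain>.log (with debug_level raised) instead of the constructed sample; an empty servers_for_domain list for a user is the quick signal that no DC or GC for the user's own domain was in the failover list when the lookup ran.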